Part 2 – Request, Fulfill, Complete and Assign a Third Party Certificate

Setting up AD FS requires a third party SSL certificate. Please see this BLOG post for certificate requirements. In a production situation, I would recommend a single-name SSL certificate. Wildcard and multi-name certificates will work, but I like to keep things simple and use a standard SSL certificate in production. Make sure that the common name matches what you plan to call the AD FS server farm. Microsoft best practice recommends that you use the host name STS (Secure Token Service). In the example below, I have used the value sts.domain.com.


Create the SSL Certificate Request (CSR)

  1. Open Server Manager
  2. Click Tools
  3. Click Internet Information Services (IIS) Manager
  4. Select the local server
  5. Select Server Certificates
  6. Click Open Feature (actions pane)
  7. Click Create Certificate Request
  8. Fill out the certificate request properties. Make sure that the common name matches what you plan to call the AD FS server farm. Microsoft best practice recommends that you use the host name STS (Secure Token Service). In the example below, I have used the value sts.domain.com.
  9. Click Next
  10. Leave the Cryptographic service provider at the default
  11. Change the Bit Length to 2048
  12. Click Next
  13. Select a location for the request file
  14. Click Finish
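The same request can be produced from PowerShell with certreq, which makes the subject, key length and provider explicit and repeatable. This is an added example, not part of the original post; the organisation values, the C:\certs path and the farm name sts.domain.com are placeholders you replace with your own.

```powershell
# Added example (not from the original post): build the CSR the IIS wizard
# creates, with the same choices the walkthrough makes (RSA SChannel CSP,
# 2048-bit key, common name = AD FS farm name). Run elevated on the AD FS server.
# Placeholders: sts.domain.com, the O/L/S/C values and C:\certs.
$inf = @"
[NewRequest]
Subject = "CN=sts.domain.com, O=Domain Inc, L=Toronto, S=Ontario, C=CA"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
Exportable = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
# KeySpec 1 = key exchange (required for SSL); KeyUsage 0xA0 = digital
# signature + key encipherment; the EKU OID is Server Authentication.
# Exportable = True because the same certificate is later exported to the
# other farm members and the proxy servers.

New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\sts.inf -Value $inf

# Generate the private key in the machine store and write the PKCS#10 request.
certreq -new C:\certs\sts.inf C:\certs\sts.csr

# Confirm the Subject and public key size before sending the CSR to the provider.
certutil -dump C:\certs\sts.csr
```

Submit C:\certs\sts.csr to the certificate provider exactly as you would the file the wizard created.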

Fulfill the Certificate Signing Request (CSR)

We need to take the CSR generated in the last step to a third party SSL certificate provider. I chose to use GoDaddy. Here are GoDaddy's instructions to fulfill the CSR at their site – Requesting a Standard or Wildcard SSL Certificate. Once the certificate is issued, download the completed CSR to the AD FS server.

Complete the Certificate Request (CSR)

  1. Open Server Manager
  2. Click Tools
  3. Click Internet Information Services (IIS) Manager
  4. Select the local server
  5. Select Server Certificates
  6. Click Open Feature (actions pane)
  7. Click Complete Certificate Request
  8. Select the path to the completed CSR file that you downloaded from the third party certificate provider
  9. Enter the friendly name for the certificate
  10. Select Personal as the certificate store
  11. Click OK
  12. The certificate will be added

***Note*** The certificate shown below is a multi-name SSL certificate for my lab environment. When your certificate is added, it should show sts.domain.com, which matches the request.

Assign the Completed SSL Certificate

Now that we have the third party certificate completed on the server, we need to assign and bind it to the Default Web Site (HTTPS, port 443).

  1. Expand the local server
  2. Expand Sites
  3. Select Default Web Site
  4. Click Bindings (actions pane)
  5. Click Add
  6. Change the type to HTTPS
  7. Select your certificate from the drop down menu.

    ***Note*** The certificate shown below is a multi-name SSL certificate for my lab environment. When you select your certificate, it should show sts.domain.com, which matches the completed certificate.

  8. Click OK
  9. Click Close
  10. Close IIS Manager
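Before moving on to the AD FS configuration, it is worth checking that the Complete and Assign steps above produced what the walkthrough expects: a certificate for the farm name in the machine Personal store with its private key, a 2048-bit key, a valid chain, and a port 443 binding on Default Web Site that uses that certificate. This is an added check, not part of the original post; it assumes the farm name sts.domain.com, the default site name and a non-SNI binding on all addresses.

```powershell
# Added verification (not from the original post). Assumes the farm name
# sts.domain.com, the site "Default Web Site" and a plain 0.0.0.0:443 binding.
Import-Module WebAdministration

$farmName = 'sts.domain.com'

# Locate the certificate in the machine Personal (My) store by CN or SAN;
# if several match (renewals), take the one expiring last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$farmName*" -or $_.DnsNameList.Unicode -contains $farmName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $farmName in LocalMachine\My" }

# Private key must be present: it only is if the request was completed on
# the same server that generated the CSR.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; complete the request on the server that created the CSR' }

# Key length should match the 2048 chosen in the request.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($rsa.KeySize -lt 2048) { throw "Key length $($rsa.KeySize) is below 2048" }

# Validity and chain: a failing chain usually means the provider's
# intermediate certificate was not installed with the completed request.
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired' }
if (-not $cert.Verify()) { throw 'Certificate chain does not validate; install the issuer intermediate certificate(s)' }

# The HTTPS binding on Default Web Site must use this certificate's thumbprint.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
if (-not $binding) { throw 'No HTTPS binding on port 443 for Default Web Site' }
$ssl = Get-Item 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
if (-not $ssl) { throw 'No SSL binding on 0.0.0.0:443' }
if ($ssl.Thumbprint -ne $cert.Thumbprint) {
    throw "Port 443 uses thumbprint $($ssl.Thumbprint), expected $($cert.Thumbprint)"
}

"OK: $($cert.Subject) ($($cert.Thumbprint)) bound on 443, expires $($cert.NotAfter)"
```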

Getting to know the NEW Office 365

  1. Does Microsoft have FREE training for the NEW Office 365?
  2. Signing up for the NEW Office 365
  3. Adding and Verifying a Domain for the NEW Office 365
  4. Creating Cloud Users for the NEW Office 365
  5. Configuring Desktops for the NEW Office 365
  6. Exchange 2003 Cutover Migration to the NEW Office 365
  7. Exchange 2007 Cutover Migration to the NEW Office 365
  8. Setting up AD FS and Enabling Single Sign-On to the NEW Office 365
  9. Setting up AD FS Proxy Servers for Single Sign-On to the NEW Office 365
  10. Setting up Directory Synchronization with the NEW Office 365
  11. Activating and Licensing a Synchronized User in the NEW Office 365
  12. Testing Single Sign-on to the NEW Office 365
  13. Making the Single Sign-On Solution Highly Available
  14. Exchange Hybrid Deployment with the NEW Office 365

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP


4 thoughts on “Part 2 – Request, Fulfill, Complete and Assign a Third Party Certificate”

  1. Wale Olo

    Thanks so much for your wonderful pieces especially on Office 365. Please I have some pertinent questions which I hope you will help me to answer:

    1. Do you have any step by step guidelines for implementing hybrid configuration from Exchange 2003 (using Exchange 2010 as hybrid server) to Office 365?

    2. Can I use the same SSL certificate for both ADFS and WAP server or do I need to purchase a separate SSL certificate for the WAP implementation?

    I look forward to hearing from you for answers to these two questions. Thanks for your help

    Wale

    1. Kelsey Epps (Post author)

      Use the Exchange Deployment Assistant for the step by step. There are so many things that are different from a standard deployment and the EDA covers the basics.

      Use the same SSL cert for the ADFS and WAP servers in the farm.
